KuppingerCole Analysts' View on Compliance Risks for Multinationals



Cloud, Data Protection & Liability

Dr. Karsten Kinast

Whether public, private or hybrid clouds, whether SaaS, IaaS or PaaS: All these cloud computing approaches are differing in particular with respect to the question, whether the processing sites/parties can be determined or not, and whether the user has influence on the geographical, qualitative and infrastructural conditions of the services provided.

Therefore, it is difficult to meet all compliance requirements, particularly within the fields of data protection and data security. The decisive factors are transparency, controllability and influenceability of the service provider and his way of working. Problems arise so far in particular with respect to the public cloud.

In order to avoid liability risks and to achieve a better perspective on business continuity, it is in your interest as the contractor to remain „master of the data“.

Some existential needs arise from this:

1. Open, transparent and detailed information from the service provider about its technical and organizational measures and the legal framework of services.

This is usually the case in practice. However, seen from your perspective as the service contractor, it is not always verifiable to a degree required by the relevant laws in order to avoid you to be liable for errors originally committed by the service provider while providing the services.

Challenge your Service Provider for his documentation of technical and legal measures. Don't expect him to be sufficient just because he is representing a large organization or is offering the best price on the market.

2. The implementation of coordinated security measures on the part of cloud providers and cloud users.

In order to comply with local legislation and your own corporate policies, cloud providers need to apply more than just their own rules to the services provided to you. As usually seen in practice, providers do have difficulties to move beyond their own terms and conditions and listen to your legal and corporate needs.

If the Service Provider does not offer to customize the terms of delivering his services to your needs, it's not your Service Provider.

3. Transparent and clear service and data protection agreements (Controller-to-Processor Agreements), in particular with a regulation respective the site of the data processing and the notification of any change of location.

The contractual dimension decides on the compliance of the use of cloud services and gains in the wake of a non-European cloud again immensely in importance.

Have all contractual documents checked professionally. You will not be able to estimate the legal implication unless you're an expert in international data protection laws. If you accept the wrong legal contracts, it will be your liability whatever the service provider decides to do with your data.

4. The submission of current certificates relating to the relevant technical infrastructure.

The certificates should ensure information security as well as portability and interoperability through independent testing organizations. There are sometimes certificates awarded that affect only parts of the necessary measures.

Don't trust certificates as if there were given by god. The idea of a certificate is not to allow you stop thinking. Make up your own mind and don't blindly follow the mainstream.

5. The problem with cloud services involving non-EEA countries is that - in particular U.S.-American - authorities sometimes access personal data / Personal Identifiable Information (PII) without any legal cause (according to a European perspective) and without complying to the principles of proportionality and purpose limitation on personal data / PII.

These accesses imply a data protection violation committed by the European contractor – not necessarily the international cloud service provider – against employees, customers and other service providers.

If only one of your companies is based within the EU, you have to be aware of the fact, that it is much harder and often even impossible for your company to remain compliant with the data protection laws if your service provider is placed outside the EEA. On the economic side, this means that you either have to add the risk of damages and fines from non-compliance to your ROI calculation, which could easily turn it upside-down, or stay with service providers placed inside the EEA.



The Art of Ignorance – is it really folly to be wise?

Martin Kuppinger

Few days ago, IBM sent out a press release announcing that the company had patented the design for a “data privacy engine” that can protect personal data more efficiently and affordably as it is transferred between countries, in compliance with both organizational policies and local laws.

This announcement turns the spotlight on a challenge that multi-national organizations in particular are facing today: regulation sprawl. In the face of an increasing number of regulations, covering a broad variety of topics such as privacy, export regulations, anti-money laundering, and many others; staying compliant is not always easy.

While there are a number of common concepts in regulations, such as traceability, regulations both within a country and across different countries are often in conflict. The aspect IBM is focusing on provides good examples of this conflict. Some data that would be considered as personal data needing protection in Germany may not be classified this way in Mexico and vice versa. In another example; some years ago, Deutsche Bahn (the German state-owned railway) violated data protection regulations during an anti-fraud initiative. According to one set of regulations, they were required to act against fraud; however, when analyzing the flow of fraudulent payments they violated the data protection law.

While many organizations have established a governance organization that analyzes the range of regulations applying across all the various countries in which they operate, we still frequently observe another approach that might be described as “the art of ignorance”. This is especially true when it comes to cloud computing. Both cloud service providers and cloud customers seem to exercise that art.

There are still many cloud service providers, which do not have sufficient insight in local laws such as the data protection laws across the various EU countries. Thus, there is massive variation in the answers given to common questions such as: support for standard contracts that are in accordance with EU regulations and local law for personal data, and the location and operation of data centers. This is sometimes hard to understand because, obviously the better the answers, the more business these cloud service providers will obtain.

The same holds true for some (potential) consumers of cloud services. Some just avoid moving to the cloud due to the uncertainty they feel; while others just do it anyway despite the uncertainty hoping that the rewards will be worth it. However, to properly balance risk against reward, you need to understand the risks, both from a compliance perspective and from a technical and organizational perspective. (This could be understood as being part of governance anyway, for example, an organization might want to align with ISO 2700x and other standards). It is better to make the effort to understand the risks instead of just ignoring them or, on the other hand, to miss the opportunities cloud services offer just because of the uncertainty.

There is a famous quotation from a work by the English poet Thomas Gary “where ignorance is bliss, 'tis folly to be wise”. This was a reflection on the time during his youth, when he was allowed to be ignorant and content. However, organizations cannot afford the contented ignorance of youth. Ignorance is no excuse in the law and ignorance does not help to make good decisions balancing risk with reward. Organizations need knowledge to understand their obligations in order to understand the costs of compliance across all of their operations and markets. They need to understand the potential conflicts in order to plot a safe course through compliance with multiple regulations. Only through knowledge is it possible to manage risk and truly ensure that the rewards really balance the risks. In this case, ignorance is not bliss.

Related KuppingerCole Research

Related KuppingerCole Podcasts

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00

Stay Connected

Subscribe to our Podcasts

KuppingerCole Podcasts - listen anywhere


AI for the Future of Your Business Learn more

AI for the Future of Your Business

AI for the Future of your Business: Effective, Safe, Secure & Ethical Everything we admire, love, need to survive, and that brings us further in creating a better future with a human face is and will be a result of intelligence. Synthesizing and amplifying our human intelligence have therefore the potential of leading us into a new era of prosperity like we have not seen before, if we succeed keeping AI Safe, Secure and Ethical. Since the very beginning of industrialization, and even before, we have been striving at structuring our work in a way that it becomes accessible for [...]